Skip to content
logo crunchbase
logo lacework
logo netskope
logo canva
logo alliant
logo vox-media
logo allbirds
logo notion
logo noom
logo turo
logo groupon
logo nuro
logo remote
logo crunchbase
logo lacework
logo netskope
logo canva
logo alliant
logo vox-media
logo allbirds
logo notion
logo noom
logo turo
logo groupon
logo nuro
logo remote
logo crunchbase
logo lacework
logo netskope
logo canva
logo alliant
logo vox-media
logo allbirds
logo notion
logo noom
logo turo
logo groupon
logo nuro
logo remote

If you’re an IT admin in charge of maintaining and managing more than a handful of Apple devices, you need some kind of mobile device management (MDM) solution. But there are many such solutions out there. How do you find the one that’s right for you and your organization? Here’s how we’d break down the alternatives.

First of all, to clear up our terms: We say “mobile device management,” but most of the solutions in that category can manage more than just mobile devices. The category originally evolved in response to the overwhelming popularity of the iPhone in the business world. Almost as soon as Apple introduced its smartphone to the world, business users began bringing it to work. Organizations needed a way to manage that ad hoc fleet. But now most Apple MDM solutions can handle anything from a desktop Mac to an Apple TV—as well as, yes, iPhone and iPad devices.

By “manage,” we mean controlling device settings, installing and configuring apps, enforcing security policies, and monitoring device usage (among other things). MDM solutions give IT teams a centralized platform that provides visibility into the organization’s Apple fleet and ensures that those devices are secure and in compliance. And they can do all that at scale and remotely.

It’s also important to understand that, in the context of Apple devices, MDM means compatibility with Apple’s MDM framework. But most MDM solutions do more than that framework allows, by means of agents and other tools.

The Benefits of Using MDM

MDM offers several distinct advantages to IT teams.

Screenshot of Auto Apps

Remotely Manage Devices

Mobile device management allows admins to manage large numbers of devices simultaneously, regardless of where those devices are located. That makes it ideal for today’s distributed workplace, where employees may be scattered geographically.

Apple MDM solutions enable IT admins to push updates, software patches, security fixes, and other configurations and settings to end-user devices automatically. That's good for users, too, who can as a result enjoy up-to-date software and settings without having to manage those updates and patches themselves.

By enabling easy or automated software updates, MDM solutions can also improve the overall security posture of the organization, reducing the risk of data breaches or other security incidents. And they can be an important ally in maintaining device compliance.

Users can also get up and running quickly on new devices, because IT admins can deploy devices so they’re pre-configured to meet user needs the first time they’re started up.

Show more

Increase IT Productivity

MDM makes IT teams more productive by streamlining and automating many of their processes.

For example, manually configuring devices one at a time is obviously time-consuming and error-prone, not to mention completely impractical at scale. Thanks to automation, MDM saves admins time deploying and managing apps, configurations, and updates to managed devices.

MDM can also provide tools to quickly identify and address potential problems before they escalate, preventing downtime and increasing overall device uptime.

MDM solutions can give admins a unified view of device inventory and usage, enabling them to identify underutilized or obsolete devices, which can then be decommissioned, freeing up resources and reducing unnecessary costs.

For IT teams that have been tasked with implementing security measures, MDM can help enforce security policies and monitor compliance across all devices, reducing the risk of security breaches and data loss—which are, if nothing else, costly and time-consuming to remediate.

Show more

Lower Cost of Ownership

Saving time means saving money. But in addition to minimizing downtime for users and providing a single point of control, MDM can also help extend the life of Apple devices by letting IT teams track device usage and optimize deployments.

Fundamental Apple MDM Features

While functionality can vary, MDM solutions do tend to share a few core capabilities.

Device Enrollment

MDM solutions offer a few ways of enrolling devices—meaning putting those devices under management:

  • Automated enrollment: Automated enrollment lets IT teams deploy settings, policies, and apps to devices remotely, without manual intervention. In the Apple world, this process is known as Automated Device Enrollment (ADE) and starts with adding devices to Apple Business Manager (or, in education settings, Apple School Manager). It streamlines setup and gives admins the confidence that devices will be enrolled and under management as soon as they are activated. This is the golden path, the best way to enroll devices if you can.
  • Device enrollment: Some company-owned devices may not be in Apple Business Manager (or Apple School Manager), and so can’t be added by ADE. But they can still be enrolled in MDM manually, often by means of having users visit an enrollment portal. Device enrollment can enforce supervision, which gives admins extensive control over the device.
  • User enrollment: Not as universally supported as those first two, User Enrollment allows employees to use personal Apple devices for work purposes, while still allowing IT admins to manage and secure corporate data.

You can also enroll devices using Apple Configurator. This is less scalable than ADE, but it is useful in certain cases. Apple Configurator for iPhone can provisionally enroll Mac computers into Apple Business Manager (or Apple School Manager)—”provisionally” in the sense that the user of the device has 30 days to release the device from management.

Ideally, an MDM solution provides tools for customizing the enrollment process. This means supporting things like:

  • Branding and customization: MDM solutions may allow IT admins to customize the screens users see during enrollment with things like the company logo. This helps to create a consistent and professional experience for end-users during that enrollment process.
  • Pre-configured settings and policies: Many solutions let admins define settings and policies for the enrollment process, things like Wi-Fi settings, email configurations, security policies, and more. This means devices can be configured correctly from the get-go.
  • Third-party integrations: MDM solutions may support integrations with third-party solutions that are specifically relevant to the enrollment process—things like inventory or HR systems. (For more on integrations, see below.)

Automation

Good MDM solutions offer a range of tools to help automate management processes. Those tools can include:

  • Automated enrollment: As mentioned above, most MDM solutions offer automated enrollment options that enable IT admins to automatically enroll devices in MDM as soon as they are activated.
  • Automated app deployment: Many MDM solutions also offer automated app deployment options, which enable IT admins to install and update apps on managed devices automatically. This obviates the need for end-users to install and update the software themselves.
  • Automated compliance monitoring: MDM solutions can monitor devices for compliance in real-time, automatically flagging any devices that fall out of compliance and, in the best cases, automatically remediating those lapses.
  • Automated security policies: MDM solutions can automatically enforce security policies across managed devices—things like enforcing passcode policies, configuring VPN settings, and more.

As we noted at the top, some MDM solutions rely on agents—always-on mini-apps running on Mac computers—to automate some processes that are outside the scope of the MDM framework. They are particularly helpful with offline remediations, because the agent can continue to ensure adherence to policies even when the device is out of touch with the MDM solution.

Apple itself is extending that basic MDM framework with the introduction of declarative device management (DDM), which will push some of the functionality currently handled by server-side automation tools down to devices themselves. Support for DDM is gaining traction among MDM vendors and will transform Apple device management in the years to come.

App management

MDM solutions typically offer tools to help manage the apps on user devices. That management can take many forms:

  • App deployment: As noted above, MDM solutions can help automate the deployment of apps to end-user devices. This can mean automatically installing apps on devices at setup and/or then updating those apps over time as new versions are available. Ideally, the solution can do so intelligently, installing one set of apps on one set of devices and another set on another.
  • App catalogs: Some solutions also let admins create and manage customized app catalogs for end-users, making it easier for those users to find and install the apps they need for work without resorting to downloading them from public sites and installing them manually.
  • Allow and block lists: In some cases, MDM solutions can maintain lists of apps that admins don’t want their users to install and enforce those bans when users try. Alternatively, the solution might allow the admin to create a list of apps that are allowed; if a user tries to install one that’s not on the list, the solution will prevent them from doing so.

One key to using MDM to distribute apps (as well as book content): Apple’s Apps and Books program, through which an organization can license and distribute that content. Access to that program comes through Apple Business Manager (or Apple School Manager), which we’ll get to in a minute. Ideally, the solution you choose supports multiple Apps and Books tokens. These provide greater flexibility (in terms of assigning and managing content for different users or groups), better control and security, and easier budgeting.

Managed OS

A good MDM solution should also give you control over updates and upgrades to the operating systems on end-user devices. That can include configuring devices so they automatically update to the latest version of the operating system as soon as it becomes available, or establishing rules for the deferment of OS updates, to give you time to test releases for compatibility with your existing software. Keeping managed devices current with the latest OSes is vital for security—but it can also introduce unexpected incompatibility issues. Your MDM solution should allow you to balance both.

Integrations

MDM solutions can’t operate in isolation; they have to exist—and thrive—in a wider software ecosystem.

At a minimum, they should integrate with Apple Business Manager (or Apple School Manager), to manage device deployment and automate device enrollment and take advantage of Apps and Books. They also need to integrate with the Apple Push Notification service (APNs), which, as a conduit for communications between the MDM solution and devices, is a cornerstone of Apple’s MDM infrastructure.

Ideally, the solution you choose can also integrate with other SaaS tools. For example, connecting your MDM to your identity provider (IdP) facilitates the integration of device and user stores, which in turn can let you do things like managing devices based on user attributes. Integration with an inventory management system can help coordinate the lifecycle of the devices in your fleet.

Compliance

One type of integration is particularly important: By integrating your MDM with security and compliance tools, you can automate the process of collecting compliance data and remediating security settings.

MDM can help you make sure—and provide proof that—you’re enforcing compliance requirements such as encryption, passcode policies, Lost Mode, Activation Lock, and more. Some may provide the ability to remotely wipe corporate data from lost or stolen devices. As noted above, your MDM solution may help you block the installation of unauthorized apps. More generally, it can collect the device information you need for compliance reporting.

Background Amber waves

Manage and secure your Apple devices at scale.

Supporting Different Devices with MDM

Clearly, you want your MDM solution to work with multiple types of Apple devices, managing macOS, iOS, iPadOS, and tvOS. Additionally, it should work with different types of Mac computers: those with Apple silicon and those with Intel processors. Additionally, a good Apple MDM solution will know how to manage iPad devices in a couple of specialized scenarios: Shared iPad and single-app mode (which some solutions call ‘kiosk mode’).

Some device management solutions go further, by managing non-Apple platforms, including Android and Windows. Such products—often dubbed “unified endpoint management,” or UEM— might seem attractive, allowing IT teams to manage all of their devices from a single console.

But we’d argue that UEM solutions actually do you a disservice, by providing less functionality for each platform than more specialized solutions. Because they have to cater to multiple platforms, they can’t be tailored to the unique features of each. In addition, they may be more complex to set up and manage, requiring more IT resources and expertise.

Single-platform MDM solutions, on the other hand, provide more focused and robust functionality for their respective platforms. This can mean a more streamlined, easier-to-use solution for IT teams.

How to Choose the Best MDM for Apple

So, how do you find the right MDM solution for your particular organization? It comes down to four considerations:

Feature requirements

Which features matter most to you? Which ones do you really need, and which are just nice-to-haves? Do you need to support multiple platforms (Apple, Windows, or Android) or just one? What other SaaS solutions do you use? What are your compliance requirements? A careful inventory of what you need to do now, coupled with a realistic forecast of where you might be two, three, or five years down the road should help you compile your feature-list.

Ease of Use

How sophisticated is your IT team? How much experience do they have with MDM? How big is it relative to the number of devices under management?

If you have a small and/or inexperienced team, you’re going to want an MDM solution that lets you manage devices with a simple graphical interface rather than relying on complex scripting or APIs. If, on the other hand, you have a savvy, well-staffed IT department, scripting and APIs can provide powerful management capabilities that will let you set and achieve the exact end state you want.

Scalability

Ideally, your company will be a lot bigger and more sophisticated down the road than it is now. If your organization has its eye on a brighter future, your MDM solution needs to be built to scale up as you do. It should be just as capable of managing thousands of Apple devices as it is of handling a few hundred.

Budget

Finally, how much MDM can you afford? Different solutions can have wildly different costs. Though most are based on a standard devices/month fee structure, the pricing can be complicated by add-ons that provide extra functionality. Some offer discounts, particularly at the low end, but here, as everywhere, you get what you pay for.

Evaluating Apple MDM Solutions

If, as we advise, you focus on Apple-specific MDM solutions, you’ve still got a wide range of choices. They include:

It’s also worth noting that Apple itself offers a solution for small businesses, Apple Business Essentials, the provides some device management along with other services (such as cloud storage). But it is not considered a direct competitor to the more MDM-focused solutions above.

Deciding on the MDM solution that works best for your organization and your IT team is one of the most consequential decisions you can make as an IT manager or admin. Taking the time now to carefully catalog what you need and to learn about your alternatives will pay huge dividends for many years to come.

About Kandji

Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints, with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to the way IT, InfoSec, and Apple device users work today and tomorrow.

Background Amber waves

Manage and secure your Apple devices at scale.